DOJ Fires New Encryption Warning Shot At Silicon Valley

Deputy Attorney General Rod Rosenstein has made it clear that law enforcement must have access to secure devices to be able to deter and solve crimes, and that high tech has to be part of the solution.

It was not a new call for comity, but had an added sense of urgency given the pace of the "internet of everything" world.

There has long been a tension, and in some cases a battle, between Washington and Silicon Valley over encryption, over protecting the security of user info and allowing the government to access it, but in a speech to Georgetown University Law Center's Cybercrime 2020 conference, Rosenstein signaled that Silicon Valley needs to come to the table with solutions, or else.

"Our generation benefits from amazing technological developments," he told the audience, according to remarks supplied by DOJ. "But the people who create and market new tools often do not consider all of the implications for public safety — how innocent users can be victimized by new technology, and how malicious users can misuse new technology. ... Companies collect tremendous amounts of information about their customers. Some users do not understand that the companies use that data for commercial advantage. And all users are vulnerable when criminals steal the data, and employ it victimize them in fraud schemes."

Facebook CEO Mark Zuckerberg, for instance has made that point on Capitol Hill, where he conceded to legislators that the social media tool he helped create to connect the world had been co-opted in some instances without Facebook's knowledge because they were focused on the pro-social uses and because it got so big so fast.

Rosenstein conceded that blind spot and did not shame high tech for it. "That is not their job," he said, but added: "It should be somebody’s job. At the Department of Justice, we accept it as part of our job."

But it was not Justice's province alone, he said, essentially signaling that pleading ignorance would no longer get a pass.

"We need technology companies and communications providers to accept responsibility for developing routine business practices that account for all the ways their products may be misused. And we need government agencies to develop investigative capabilities that keep up with enforcement challenges."

The crux of his speech was the need for designing tech products with law enforcement in mind, sort of an "emergency access by design" approach. For example, he cited Ray Ozzie, former CTO and chief software architect for Microsoft’s, who has he says has reportedly developed a system that could allow law enforcement access without "significantly" increasing security risks for users.

The "significantly" is important, implying there will have to be some security trade-off.

Rosenstein painted a dark — make that dark web — picture of the alternative to government and high tech working together, a world where bad actors can use devices and technologies with relative impunity, where "pedophiles teach each other how to evade detection on darknet message boards. Gangs plan murders using social media apps. And extortionists deliver their demands via email."

He said law enforcement had a duty to raise those alarms, and high tech had a duty to respond to them.

Rosenstein had three suggestions:

"First, we must place security on the same footing as novelty and convenience," he said, sort of an "emergency access by design" approach. He likened it to requiring buildings to disable elevators in a fire but also expecting them to be available to firemen to use if necessary. "Anticipating worst-case scenarios needs to be part of the development process."

Second, he said, "the private sector [needs] to coordinate with law enforcement agencies about emerging security issues, and work cooperatively to address them."

Finally, high tech has to recognize that "thwarting harmful, destructive activities enabled by technology is a moral imperative," and that helping law enforcement do that is in society's best interests, adding: "We cannot accept a culture in which technology companies work to defeat legitimate law enforcement activities."

"We depend on technology, but technology that lacks security can be a menace," he said, "and market forces do not require companies to anticipate and prevent misuse of their products."

Rosenstein said there was nothing "virtuous" about warrant-proof encryption, "where tech companies design their products or services in such a way that they claim it is impossible for them to assist in the execution of a court-authorized warrant."

The consequences of that, he said: "Without a concerted effort to to alter our trajectory, the malicious use of technology will be more pernicious and pervasive tomorrow than it is today, and even more difficult to combat."